Information technology — Code of practice for information security management


INTERNATIONAL STANDARD ISO/IEC 17799
First edition 2000-12-01

Information technology — Code of practice for information security management
Technologies de l'information — Code de pratique pour la gestion de sécurité d'information

Reference number ISO/IEC 17799:2000(E)

© ISO/IEC 2000 — All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office, Case postale 56, CH-1211 Geneva 20. Tel. +41 22 749 01 11. Fax +41 22 749 09 47. E-mail copyright@iso.ch. Web www.iso.ch. Printed in Switzerland.

Contents

Foreword
Introduction
  What is information security?
  Why information security is needed
  How to establish security requirements
  Assessing security risks
  Selecting controls
  Information security starting point
  Critical success factors
  Developing your own guidelines
1 Scope
2 Terms and definitions
3 Security policy
  3.1 Information security policy
    3.1.1 Information security policy document
    3.1.2 Review and evaluation
4 Organizational security
  4.1 Information security infrastructure
    4.1.1 Management information security forum
    4.1.2 Information security co-ordination
    4.1.3 Allocation of information security responsibilities
    4.1.4 Authorization process for information processing facilities
    4.1.5 Specialist information security advice
    4.1.6 Co-operation between organizations
    4.1.7 Independent review of information security
  4.2 Security of third party access
    4.2.1 Identification of risks from third party access
    4.2.2 Security requirements in third party contracts
  4.3 Outsourcing
    4.3.1 Security requirements in outsourcing contracts
5 Asset classification and control
  5.1 Accountability for assets
    5.1.1 Inventory of assets
  5.2 Information classification
    5.2.1 Classification guidelines
    5.2.2 Information labelling and handling
6 Personnel security
  6.1 Security in job definition and resourcing
    6.1.1 Including security in job responsibilities
    6.1.2 Personnel screening and policy
    6.1.3 Confidentiality agreements
    6.1.4 Terms and conditions of employment
  6.2 User training
    6.2.1 Information security education and training
  6.3 Responding to security incidents and malfunctions
    6.3.1 Reporting security incidents
    6.3.2 Reporting security weaknesses
    6.3.3 Reporting software malfunctions
    6.3.4 Learning from incidents
    6.3.5 Disciplinary process
7 Physical and environmental security
  7.1 Secure areas
    7.1.1 Physical security perimeter
    7.1.2 Physical entry controls
    7.1.3 Securing offices, rooms and facilities
    7.1.4 Working in secure areas
    7.1.5 Isolated delivery and loading areas
  7.2 Equipment security
    7.2.1 Equipment siting and protection
    7.2.2 Power supplies
    7.2.3 Cabling security
    7.2.4 Equipment maintenance
    7.2.5 Security of equipment off-premises
    7.2.6 Secure disposal or re-use of equipment
  7.3 General controls
    7.3.1 Clear desk and clear screen policy
    7.3.2 Removal of property
8 Communications and operations management
  8.1 Operational procedures and responsibilities
    8.1.1 Documented operating procedures
    8.1.2 Operational change control
    8.1.3 Incident management procedures
    8.1.4 Segregation of duties
    8.1.5 Separation of development and operational facilities
    8.1.6 External facilities management
  8.2 System planning and acceptance
    8.2.1 Capacity planning
    8.2.2 System acceptance
  8.3 Protection against malicious software
    8.3.1 Controls against malicious software
  8.4 Housekeeping
    8.4.1 Information back-up
    8.4.2 Operator logs
    8.4.3 Fault logging
  8.5 Network management
    8.5.1 Network controls
  8.6 Media handling and security
    8.6.1 Management of removable computer media
    8.6.2 Disposal of media
    8.6.3 Information handling procedures
    8.6.4 Security of system documentation
  8.7 Exchanges of information and software
    8.7.1 Information and software exchange agreements
    8.7.2 Security of media in transit
    8.7.3 Electronic commerce security
    8.7.4 Security of electronic mail
    8.7.5 Security of electronic office systems
    8.7.6 Publicly available systems
    8.7.7 Other forms of information exchange
9 Access control
  9.1 Business requirement for access control
    9.1.1 Access control policy
  9.2 User access management
    9.2.1 User registration
    9.2.2 Privilege management
    9.2.3 User password management
    9.2.4 Review of user access rights
  9.3 User responsibilities
    9.3.1 Password use
    9.3.2 Unattended user equipment
  9.4 Network access control
    9.4.1 Policy on use of network services
    9.4.2 Enforced path
    9.4.3 User authentication for external connections
    9.4.4 Node authentication
    9.4.5 Remote diagnostic port protection
    9.4.6 Segregation in networks
    9.4.7 Network connection control
    9.4.8 Network routing control
    9.4.9 Security of network services
  9.5 Operating system access control
    9.5.1 Automatic terminal identification
    9.5.2 Terminal log-on procedures
    9.5.3 User identification and authentication
    9.5.4 Password management system
    9.5.5 Use of system utilities
    9.5.6 Duress alarm to safeguard users
    9.5.7 Terminal time-out
    9.5.8 Limitation of connection time
  9.6 Application access control
    9.6.1 Information access restriction
    9.6.2 Sensitive system isolation
  9.7 Monitoring system access and use
    9.7.1 Event logging
    9.7.2 Monitoring system use
    9.7.3 Clock synchronization
  9.8 Mobile computing and teleworking
    9.8.1 Mobile computing
    9.8.2 Teleworking
10 Systems development and maintenance
  10.1 Security requirements of systems
    10.1.1 Security requirements analysis and specification
  10.2 Security in application systems
    10.2.1 Input data validation
    10.2.2 Control of internal processing
    10.2.3 Message authentication
    10.2.4 Output data validation
  10.3 Cryptographic controls
    10.3.1 Policy on the use of cryptographic controls
    10.3.2 Encryption
    10.3.3 Digital signatures
    10.3.4 Non-repudiation services
    10.3.5 Key management
  10.4 Security of system files
    10.4.1 Control of operational software
    10.4.2 Protection of system test data
    10.4.3 Access control to program source library
  10.5 Security in development and support processes
    10.5.1 Change control procedures
    10.5.2 Technical review of operating system changes
    10.5.3 Restrictions on changes to software packages
    10.5.4 Covert channels and Trojan code
    10.5.5 Outsourced software development
11 Business continuity management
  11.1 Aspects of business continuity management
    11.1.1 Business continuity management process
    11.1.2 Business continuity and impact analysis
    11.1.3 Writing and implementing continuity plans
    11.1.4 Business continuity planning framework
    11.1.5 Testing, maintaining and re-assessing business continuity plans
12 Compliance
  12.1 Compliance with legal requirements
    12.1.1 Identification of applicable legislation
    12.1.2 Intellectual property rights (IPR)
    12.1.3 Safeguarding of organizational records
    12.1.4 Data protection and privacy of personal information
    12.1.5 Prevention of misuse of information processing facilities
    12.1.6 Regulation of cryptographic controls
    12.1.7 Collection of evidence
  12.2 Reviews of security policy and technical compliance
    12.2.1 Compliance with security policy
    12.2.2 Technical compliance checking
  12.3 System audit considerations
    12.3.1 System audit controls
    12.3.2 Protection of system audit tools

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part

In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this International Standard may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

International Standard ISO/IEC 17799 was prepared by the British Standards Institution (as BS 7799) and was adopted, under a special "fast-track procedure", by Joint Technical Committee ISO/IEC JTC 1, Information technology, in parallel with its approval by national bodies of ISO and IEC.

Introduction

What is information security?

Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities.

Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected.

Information security is characterized here as the preservation of:
a) confidentiality: ensuring that information is accessible only to those authorized to have access;
b) integrity: safeguarding the accuracy and completeness of information and processing methods;
c) availability: ensuring that authorized users have access to information and associated assets when required.

Information security is achieved by implementing a suitable set of controls, which could be policies, practices, procedures, organizational structures and software functions. These controls need to be established to ensure that the specific security objectives of the organization are met.

Why information security is needed

Information and the supporting processes, systems and networks are important business assets. Confidentiality, integrity and availability of information may be essential to maintain competitive edge, cash-flow, profitability, legal compliance and commercial image.

Increasingly, organizations and their information systems and networks are faced with security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire or flood. Sources of damage such as computer viruses, computer hacking and denial of service attacks have become more common, more ambitious and increasingly sophisticated.

Dependence on information systems and services means organizations are more vulnerable to security threats. The interconnecting of public and private networks and sharing of information resources increases the difficulty of achieving access control. The trend to distributed computing has weakened the effectiveness of central, specialist control.

Many information systems have not been designed to be secure. The security that can be achieved through technical means is limited, and should be supported by appropriate management and procedures. Identifying which controls should be in place requires careful planning and attention to detail. Information security management needs, as a minimum, participation by all employees in the organization. It may also require participation from suppliers, customers or shareholders. Specialist advice from outside organizations may also be needed.

Information security controls are considerably cheaper and more effective if incorporated at the requirements specification and design stage.

How to establish security requirements

It is essential that an organization identifies its security requirements. There are three main sources.

The first source is derived from assessing risks to the organization. Through risk assessment threats to assets are identified, vulnerability to and likelihood of occurrence is evaluated and potential impact is estimated.

The second source is the legal, statutory, regulatory and contractual requirements that an organization, its trading partners, contractors and service providers have to satisfy.

The third source is the particular set of principles, objectives and requirements for information processing that an organization has developed to support its operations.

Assessing security risks

Security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the business harm likely to result from security failures. Risk assessment techniques can be applied to the whole organization, or only parts of it, as well as to individual information systems, specific system components or services where this is practicable, realistic and helpful.

Risk assessment is systematic consideration of:
a) the business harm likely to result from a security failure, taking into account the potential consequences of a loss of confidentiality, integrity or availability of the information and other assets;
b) the realistic likelihood of such a failure occurring in the light of prevailing threats and vulnerabilities, and the controls currently implemented.

The results of this assessment will help guide and determine the appropriate management action and priorities for managing information security risks, and for implementing controls selected to protect against these risks. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems.

It is important to carry out periodic reviews of security risks and implemented controls to:
a) take account of changes to business requirements and priorities;
b) consider new threats and vulnerabilities;
c) confirm that controls remain effective and appropriate.

Reviews should be performed at different levels of depth depending on the results of previous assessments and the changing levels of risk that management is prepared to accept. Risk assessments are often carried out first at a high level, as a means of prioritizing resources in areas of high risk, and then at a more detailed level, to address specific risks.

Selecting controls

Once security requirements have been identified, controls should be selected and implemented to ensure risks are reduced to an acceptable level. Controls can be selected from this document or from other control sets, or new controls can be designed to meet specific needs as appropriate. There are many different ways of managing risks and this document provides examples of common approaches. However, it is necessary to recognize that some of the controls are not applicable to every information system or environment, and might not be practicable for all organizations. As an example, 8.1.4 describes how duties may be segregated to prevent fraud and error. It may not be possible for smaller organizations to segregate all duties and other ways of achieving the same control objective may be necessary. As another example, 9.7 and 12.1 describe how system use can be monitored and evidence collected. The described controls, e.g. event logging, might conflict with applicable legislation, such as privacy protection for customers or in the workplace.

Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Non-monetary factors such as loss of reputation should also be taken into account.

Some of the controls in this document can be considered as guiding principles for information security management and applicable for most organizations. They are explained in more detail below under the heading "Information security starting point".

Information security starting point

A number of controls can be considered as guiding principles providing a good starting point for implementing information security. They are either based on essential legislative requirements or considered to be common best practice for information security.

Controls considered to be essential to an organization from a legislative point of view include:
a) data protection and privacy of personal information (see 12.1.4);
b) safeguarding of organizational records (see 12.1.3);
c) intellectual property rights (see 12.1.2).

Controls considered to be common best practice for information security include:
a) information security policy document (see 3.1);
b) allocation of information security responsibilities (see 4.1.3);
c) information security education and training (see 6.2.1);
d) reporting security incidents (see 6.3.1);
e) business continuity management (see 11.1).

These controls apply to most organizations and in most environments. It should be noted that although all controls in this document are important, the relevance of any control should be determined in the light of the specific risks an organization is facing. Hence, although the above approach is considered a good starting point, it does not replace selection of controls based on a risk assessment.

Critical success factors

Experience has shown that the following factors are often critical to the successful implementation of information security within an organization:

[...]

b) implementation of emergency procedures to allow recovery and restoration in required time-scales. Particular attention needs to be given to the assessment of external business dependencies and the contracts in place;
c) documentation of agreed procedures and processes;
d) appropriate education of staff in the agreed emergency procedures and processes including crisis management;
e) testing and updating of the plans.

The planning process should focus on the required business objectives, e.g. restoring of specific services to customers in an acceptable amount of time. The services and resources that will enable this to occur should be considered, including staffing, non-information processing resources, as well as fallback arrangements for information processing facilities.

11.1.4 Business continuity planning framework

A single framework of business continuity plans should be maintained to ensure that all plans are consistent, and to identify priorities for testing and maintenance. Each business continuity plan should specify clearly the conditions for its activation, as well as the individuals responsible for executing each component of the plan. When new requirements are identified, established emergency procedures, e.g. evacuation plans or any existing fallback arrangements, should be amended as appropriate.

A business continuity planning framework should consider the following:
a) the conditions for activating the plans which describe the process to be followed (how to assess the situation, who is to be involved, etc.) before each plan is activated;
b) emergency procedures which describe the actions to be taken following an incident which jeopardizes business operations and/or human life. This should include arrangements for public relations management and for effective liaison with appropriate public authorities, e.g. police, fire service and local government;
c) fallback procedures which describe the actions to be taken to move essential business activities or support services to alternative temporary locations, and to bring business processes back into operation in the required time-scales;
d) resumption procedures which describe the actions to be taken to return to normal business operations;
e) a maintenance schedule which specifies how and when the plan will be tested, and the process for maintaining the plan;
f) awareness and education activities which are designed to create understanding of the business continuity processes and ensure that the processes continue to be effective;
g) the responsibilities of the individuals, describing who is responsible for executing which component of the plan. Alternatives should be nominated as required.

Each plan should have a specific owner. Emergency procedures, manual fallback plans and resumption plans should be within the responsibility of the owners of the appropriate business resources or processes involved. Fallback arrangements for alternative technical services, such as information processing and communications facilities, should usually be the responsibility of the service providers.

11.1.5 Testing, maintaining and re-assessing business continuity plans

11.1.5.1 Testing the plans

Business continuity plans may fail on being tested, often because of incorrect assumptions, oversights, or changes in equipment or personnel. They should therefore be tested regularly to ensure that they are up to date and effective. Such tests should also ensure that all members of the recovery team and other relevant staff are aware of the plans.

The test schedule for business continuity plan(s) should indicate how and when each element of the plan should be tested. It is recommended to test the individual components of the plan(s) frequently. A variety of techniques should be used in order to provide assurance that the plan(s) will operate in real life. These should include:
a) table-top testing of various scenarios (discussing the business recovery arrangements using example interruptions);
b) simulations (particularly for training people in their post-incident/crisis management roles);
c) technical recovery testing (ensuring information systems can be restored effectively);
d) testing recovery at an alternate site (running business processes in parallel with recovery operations away from the main site);
e) tests of supplier facilities and services (ensuring externally provided services and products will meet the contracted commitment);
f) complete rehearsals (testing that the organization, personnel, equipment, facilities and processes can cope with interruptions).

The techniques can be used by any organization and should reflect the nature of the specific recovery plan.

11.1.5.2 Maintaining and re-assessing the plans

Business continuity plans should be maintained by regular reviews and updates to ensure their continuing effectiveness (see 11.1.5.1 to 11.1.5.3). Procedures should be included within the organization's change management programme to ensure that business continuity matters are appropriately addressed.

Responsibility should be assigned for regular reviews of each business continuity plan; the identification of changes in business arrangements not yet reflected in the business continuity plans should be followed by an appropriate update of the plan. This formal change control process should ensure that the updated plans are distributed and reinforced by regular reviews of the complete plan.

Examples of situations that might necessitate updating plans include the acquisition of new equipment, or upgrading of operational systems and changes in:
a) personnel;
b) addresses or telephone numbers;
c) business strategy;
d) location, facilities and resources;
e) legislation;
f) contractors, suppliers and key customers;
g) processes, or new/withdrawn ones;
h) risk (operational and financial).

12 Compliance

12.1 Compliance with legal requirements

Objective: To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.

The design, operation, use and management of information systems may be subject to statutory, regulatory and contractual security requirements.

Advice on specific legal requirements should be sought from the organization's legal advisers, or suitably qualified legal practitioners. Legislative requirements vary from country to country and for information created in one country that is transmitted to another country (i.e. trans-border data flow).

12.1.1 Identification of applicable legislation

All relevant statutory, regulatory and contractual requirements should be explicitly defined and documented for each information system. The specific controls and individual responsibilities to meet these requirements should be similarly defined and documented.

12.1.2 Intellectual property rights (IPR)

12.1.2.1 Copyright

Appropriate procedures should be implemented to ensure compliance with legal restrictions on the use of material in respect of which there may be intellectual property rights, such as copyright, design rights, trade marks. Copyright infringement can lead to legal action which may involve criminal proceedings.

Legislative, regulatory and contractual requirements may place restrictions on the copying of proprietary material. In particular, they may require that only material that is developed by the organization, or that is licensed or provided by the developer to the organization, can be used.

12.1.2.2 Software copyright

Proprietary software products are usually supplied under a licence agreement that limits the use of the products to specified machines and may limit copying to the creation of back-up copies only. The following controls should be considered:
a) publishing a software copyright compliance policy which defines the legal use of software and information products;
b) issuing standards for the procedures for acquisition of software products;
c) maintaining awareness of the software copyright and acquisition policies, and giving notice of the intent to take disciplinary action against staff who breach them;
d) maintaining appropriate asset registers;
e) maintaining proof and evidence of ownership of licenses, master disks, manuals, etc.;
f) implementing controls to ensure that any maximum number of users permitted is not exceeded;
g) carrying out checks that only authorized software and licensed products are installed;
h) providing a policy for maintaining appropriate licence conditions;
i) providing a policy for disposing or transferring software to others;
j) using appropriate audit tools;
k) complying with terms and conditions for software and information obtained from public networks (see also 8.7.6).

12.1.3 Safeguarding of organizational records

Important records of an organization should be protected from loss, destruction and falsification. Some records may need to be securely retained to meet statutory or regulatory requirements, as well as to support essential business activities. Examples of this are records that may be required as evidence that an organization operates within statutory or regulatory rules, or to ensure adequate defence against potential civil or criminal action, or to confirm the financial status of an organization with respect to shareholders, partners and auditors. The time period and data content for information retention may be set by national law or regulation.

Records should be categorized into record types, e.g. accounting records, database records, transaction logs, audit logs and operational procedures, each with details of retention periods and type of storage media, e.g. paper, microfiche, magnetic, optical. Any related cryptographic keys associated with encrypted archives or digital signatures (see 10.3.2 and 10.3.3) should be kept securely and made available to authorized persons when needed.

Consideration should be given to the possibility of degradation of media used for storage of records. Storage and handling procedures should be implemented in accordance with manufacturer's recommendations.

Where electronic storage media are chosen, procedures to ensure the ability to access data (both media and format readability) throughout the retention period should be included, to safeguard against loss due to future technology change.

Data storage systems should be chosen such that required data can be retrieved in a manner acceptable to a court of law, e.g. all records required can be retrieved in an acceptable timeframe and in an acceptable format.

The system of storage and handling should ensure clear identification of records and of their statutory or regulatory retention period. It should permit appropriate destruction of records after that period if they are not needed by the organization.

To meet these obligations, the following steps should be taken within an organization.
a) Guidelines should be issued on the retention, storage, handling and disposal of records and information.
b) A retention schedule should be drawn up identifying essential record types and the period of time for which they should be retained.
c) An inventory of sources of key information should be maintained.
d) Appropriate controls should be implemented to protect essential records and information from loss, destruction and falsification.

12.1.4 Data protection and privacy of personal information

A number of countries have introduced legislation placing controls on the processing and transmission of personal data (generally information on living individuals who can be identified from that information). Such controls may impose duties on those collecting, processing and disseminating personal information, and may restrict the ability to transfer that data to other countries.

Compliance with data protection legislation requires appropriate management structure and control. Often this is best achieved by the appointment of a data protection officer who should provide guidance to managers, users and service providers on their individual responsibilities and the specific procedures that should be followed. It should be the responsibility of the owner of the data to inform the data protection officer about any proposals to keep personal information in a structured file, and to ensure awareness of the data protection principles defined in the relevant legislation.

12.1.5 Prevention of misuse of information processing facilities

The information processing facilities of an organization are provided for business purposes. Management should authorize their use. Any use of these facilities for non-business or unauthorized purposes, without management approval, should be regarded as improper use of the facilities. If such activity is identified by monitoring or other means, it should be brought to the attention of the individual manager concerned for appropriate disciplinary action.

The legality of monitoring the usage varies from country to country and may require employees to be advised of such monitoring or to obtain their agreement. Legal advice should be taken before implementing monitoring procedures.

Many countries have, or are in the process of introducing, legislation to protect against computer misuse. It may be a criminal offence to use a computer for unauthorized purposes. It is therefore essential that all users are aware of the precise scope of their permitted access. This can, for example, be achieved by giving users written authorization, a copy of which should be signed by the user and securely retained by the organization. Employees of an organization, and third party users, should be advised that no access be permitted except that which is authorized.

At log-on a warning message should be presented on the computer screen indicating that the system being entered is private and that unauthorized access is not permitted. The user has to acknowledge and react appropriately to the message on the screen to continue with the log-on process.

12.1.6 Regulation of cryptographic controls

Some countries have implemented agreements, laws, regulations or other instruments to control the access to or use of cryptographic controls. Such control may include:
a) import and/or export of computer hardware and software for performing cryptographic functions;
b) import and/or export of computer hardware and software which is designed to have cryptographic functions added to it;
c) mandatory or discretionary methods of access by the countries to information encrypted by hardware or software to provide confidentiality of content.

Legal advice should be sought to ensure compliance with national law. Before encrypted information or cryptographic controls are moved to another country, legal advice should also be taken.

12.1.7 Collection of evidence

12.1.7.1 Rules for evidence

It is necessary to have adequate evidence to support an action against a person or organization. Whenever this action is an internal disciplinary matter the evidence necessary will be described by internal procedures.

Where the action involves the law, either civil or criminal, the evidence presented should conform to the rules for evidence laid down in the relevant law or in the rules of the specific court in which the case will be heard. In general, these rules cover:
a) admissibility of evidence: whether or not the evidence can be used in court;
b) weight of evidence: the quality and completeness of the evidence;
c) adequate evidence that controls have operated correctly and consistently (i.e. process control evidence) throughout the period that the evidence to be recovered was stored and processed by the system.

12.1.7.2 Admissibility of evidence

To achieve admissibility of the evidence, organizations should ensure that their information systems comply with any published standard or code of practice for the production of admissible evidence.

12.1.7.3 Quality and completeness of evidence

To achieve quality and completeness of the evidence, a strong evidence trail is needed. In general, such a strong trail can be established under the following conditions.
a) For paper documents: the original is kept securely and it is recorded who found it, where it was found, when it was found and who witnessed the discovery. Any investigation should ensure that originals are not tampered with.
b) For information on computer media: copies of any removable media, information on hard disks or in memory should be taken to ensure availability. The log of all actions during the copying process should be kept and the process should be witnessed. One copy of the media and the log should be kept securely.

When an incident is first detected, it may not be obvious that it will result in possible court action. Therefore, the danger exists that necessary evidence is destroyed accidentally before the seriousness of the incident is realized. It is advisable to involve a lawyer or the police early in any contemplated legal action and take advice on the evidence required.

12.2 Reviews of security policy and technical compliance

Objective: To ensure compliance of systems with organizational security policies and standards.

The security of information systems should be regularly reviewed.

Such reviews should be performed against the appropriate security policies and the technical platforms and information
systems should be audited for compliance with security implementation standards 12.2.1 Compliance with security policy Managers should ensure that all security procedures within their area of responsibility are carried out correctly In addition, all areas within the organization should be considered for © ISO/IEC 2000 — All rights reserved 63 ISO/IEC 17799:2000(E) regular review to ensure compliance with security policies and standards These should include the following: a) information systems; b) systems providers; c) owners of information and information assets; d) users; e) management Owners of information systems (see 5.1) should support regular reviews of the compliance of their systems with the appropriate security policies, standards and any other security requirements Operational monitoring of system use is covered in 9.7 12.2.2 Technical compliance checking Information systems should be regularly checked for compliance with security implementation standards Technical compliance checking involves the examination of operational systems to ensure that hardware and software controls have been correctly implemented This type of compliance checking requires specialist technical assistance It should be performed manually (supported by appropriate software tools, if necessary) by an experienced system engineer, or by an automated software package which generates a technical report for subsequent interpretation by a technical specialist Compliance checking also covers, for example, penetration testing, which might be carried out by independent experts specifically contracted for this purpose This can be useful in detecting vulnerabilities in the system and for checking how effective the controls are in preventing unauthorized access due to these vulnerabilities Caution should be exercised in case success of a penetration test could lead to a compromise of the security of the system and inadvertently exploit other vulnerabilities Any technical compliance check 
should only be carried out by, or under the supervision of, competent, authorized persons 12.3 System audit considerations Objective: To maximize the effectiveness of and to minimize interference to/from the system audit process There should be controls to safeguard operational systems and audit tools during system audits Protection is also required to safeguard the integrity and prevent misuse of audit tools 12.3.1 System audit controls Audit requirements and activities involving checks on operational systems should be carefully planned and agreed to minimize the risk of disruptions to business processes The following should be observed a) Audit requirements should be agreed with appropriate management b) The scope of the checks should be agreed and controlled c) The checks should be limited to read-only access to software and data d) Access other than read-only should only be allowed for isolated copies of system files, which should be erased when the audit is completed 64 © ISO/IEC 2000 — All rights reserved ISO/IEC 17799:2000(E) e) IT resources for performing the checks should be explicitly identified and made available f) Requirements for special or additional processing should be identified and agreed g) All access should be monitored and logged to produce a reference trail h) All procedures, requirements and responsibilities should be documented 12.3.2 Protection of system audit tools Access to system audit tools, i.e software or data files, should be protected to prevent any possible misuse or compromise Such tools should be separated from development and operational systems and not held in tape libraries or user areas, unless given an appropriate level of additional protection © ISO/IEC 2000 — All rights reserved 65 ISO/IEC 17799:2000(E) Index acceptance, system 8.2.2 access control application of 9.6 business requirements for 9.1 operating system for 9.5 policy for 9.1.1 to program source library 10.4.3 access restriction, information 9.6.1 accountability 
    for assets 5.1
allocation of information security responsibilities 4.1.3
applicability of controls Introduction
application access control 9.6
application systems, security in 10.2
secure areas 7.1
    working in 7.1.4
assessing your security risks Introduction
assessment of risks 2.2
asset classification and control
audit
    considerations 12.3
    logs 9.7.1
    tools, protection of 12.3.2
authentication
    message 10.2.3
    node 9.4.4
    user 9.4.3
authorization process 4.1.4
automatic terminal identification 9.5.1
availability 2.1
back-up of information 8.4.1
business continuity 11
    framework for 11.1.4
    and impact analysis 11.2
    management of 11
    management process for 11.1
    testing, maintaining and re-assessing plans for 11.1.5
    writing and implementing plans for 11.1.3
business requirements for access control 9.1
cabling security 7.2.3
capacity planning 8.2.1
certification 10.3.5.2
change control
    operational 8.1.2
    procedures for 10.5.1
classification
    of assets, guidelines 5.2.1
    of information 5.2
clear desk and clear screen policy 7.3.1
clock synchronization 9.7.3
collection of evidence 12.1.7
co-operation between organizations 4.1.6
communications and operations management
compliance
    with legal requirements 12.1
    with security policy 12.2.1
confidentiality 2.1
confidentiality agreements 6.1.3
conditions and terms of employment 6.1.4
contracts
    security in third party 4.2.2
    security in outsourcing 4.3.1
control
    against malicious software 8.3.1
    of internal processing 10.2.2
    of operational software 10.4.1
controls, general physical 7.3
copyright
    IPR 12.1.2.1
    software 12.1.2.2
covert channels and Trojan code 10.5.4
critical success factors Introduction
cryptographic controls 10.3
    policy on the use of 10.3.1
    regulation of 10.3.2
delivery and loading areas 7.1.5
developing your own guidelines Introduction
development
    and maintenance of systems 10
    and operational facilities, separation of 8.1.5
    and support environment, security in 10.5
digital signatures 10.3.3
disciplinary process 6.3.5
disposal
    of equipment 7.2.6
    of media 8.6.2
documentation, security of system 8.6.4
documented operating procedures 8.1.1
downloading of information and software 8.1.3, 8.7.4, 10.2.2
duress alarm 9.5.6
education and training in information security 6.2.1
electronic
    commerce 8.7.3
    mail 8.7.4
    office systems 8.7.5
emergency procedures 11.1.3
encryption 10.3.2
enforced path 9.4.2
entry controls 7.1.2
environmental and physical security
equipment
    maintenance of 7.2.4
    security of 7.2
    siting and protection of 7.2.1
    unattended 9.3.2
    used off premises 5.2.5
establishing security requirements Introduction
evaluation and review of security policy 3.1.2
event logging 9.7.1
evidence, collection of 12.1.7
exchange
    of information, other forms of 8.7.7
    of information and software 8.7
    of information and software, agreements for 8.7.1
external facilities management 8.1.6
facilities management, external 8.1.6
facilities, security of offices, rooms and 7.1.3
fallback planning 11.1.3
fault logging 8.4.3
forms of information exchange, other 8.7.7
framework for business continuity plans 11.1.4
general physical controls 7.3
guiding principles Introduction
hazards, protection of equipment from 7.2.1
home working
    security of equipment 7.2.5
    security of teleworking 9.8.2
housekeeping 8.4
identification of applicable legislation 12.1.1
identification of terminals 9.5.1
identification of users 9.5.3
incidents
    learning from 6.3.4
    management procedures for 8.1.3
    reporting of 6.3.1
incidents and malfunctions, reporting of 6.3
independent review of information security 4.1.7
information
    access, restrictions on 9.6.1
    back-up of 8.4.1
    classification of 5.2
    other forms of exchange of 8.7.7
    handling procedures for 8.6.3
    labelling and handling 5.2.2
    and software, exchanges of 8.7
    and software exchange agreements 8.7.1
information security 2.1
    co-ordination of 4.1.2
    education and training in 6.2.1
    infrastructure 4.1
    policy for 3.1
    policy document for 3.1
    requirements for Introduction
input data validation 10.2.1
integrity 2.1
intellectual property rights 12.1.2
internal processing, control of 10.2.2
inventory of assets 5.1.1
isolated delivery and loading areas 7.1.5
isolation of sensitive systems 9.6.2
job definition and resourcing 6.1
job responsibilities, security in 6.1.1
key management 10.3.5
labelling and handling of information 5.2.2
learning from incidents 6.3.4
limitation of connection time 9.5.8
logging
    of events 9.7.1
    of faults 8.4.3
log-on procedures 9.5.2
logs, operator 8.4.2
malfunctions, reporting of 6.3.3
malicious software
    controls against 8.3.1
    protection against 8.3
management
    communications and operations
    of information security forum of 4.1.1
    of networks 8.5
    of removable computer media 8.6.1
    of risk 2.3
    of user access 9.2
media
    disposal of 8.6.2
    handling and security of 8.6
    in transit 8.7.2
    removable 8.6.1
message authentication 10.2.3
misuse of information processing facilities 12.1.5
mobile computing 9.8.1
    and teleworking 9.8
monitoring
    system access and use 9.7
    system use 9.7.2
network
    access control of 9.4
    connection control of 9.4.7
    management of 8.5
    routing control of 9.4.8
    segregation in 9.4.6
node authentication 9.4.4
non-disclosure agreements 6.1.3
non-repudiation services 10.3.4
office systems, electronic 8.7.5
offices, rooms and facilities, securing 7.1.3
operating
    procedures 8.1.1
    system access control 9.5
operational
    change control 8.1.2
    procedures and responsibilities 8.1
    software, control of 10.4.1
operations and communications management
operator logs 8.4.2
organization of security
organizational records, safeguarding of 12.1.3
other forms of information exchange 8.7.7
output data validation 10.2.4
outsourcing 4.3
    outsourced software development 10.5.5
    security in contracts 4.3.1
passwords
    management of, user 9.2.3
    management system for 9.5.4
    use of 9.3.1
personal information, privacy of 12.1.4
personnel screening and policy 6.1.2
personnel security
physical and environmental security
    entry controls 7.1.2
    security perimeter 7.1.1
policy
    on access control 9.1
    on the use of cryptographic controls 10.3.1
    on use of network services 9.4.1
    security
power supplies 7.2.2
prevention of misuse of information processing facilities 12.1.5
privilege management 9.2.2
program source library, access control to 10.4.3
property rights, intellectual 12.1.2
protection
    of equipment from hazards 7.2
    against malicious software 8.3
    of system audit tools 12.3.2
    of system test data 10.4.2
publicly available systems 8.7.6
remote diagnostic port protection 9.4.5
removal of property 7.3.2
reporting
    security incidents 6.3.1
    security weaknesses 6.3.2
    software malfunctions 6.3.3
review and evaluation of security policy 3.1.2
requirements for security Introduction
responding to incidents 6.3
responsibilities
    for security in the job 6.1.1
    user 9.3
restrictions of changes to software packages 10.5.3
review
    of information security 4.1.7
    of user access rights 9.2.4
risk assessment 2.2
risk management 2.3
routing control 9.4.8
safeguarding of organizational records 12.1.3
scope
secure areas 7.1
    disposal of equipment in 7.2.6
    working in 7.1.4
securing offices, rooms and facilities 7.1.3
security
    in application systems 10.2
    in development and support processes 10.5
    education 6.2.1
    of electronic commerce 8.7.3
    of electronic mail 8.7.4
    of electronic office systems 8.7.5
    incidents 6.3, 6.3.1
    of media in transit 8.7.2
    organization
    policy
    policy, compliance with 12.2.1
    requirements analysis 10.1.1
    requirements in outsourcing contracts 4.3.1
    requirements in third party contracts 4.2
    requirements of systems 10.1
    reviews of information processing facilities 12.2
    of system documentation 8.6.4
    of system files 10.3
    of third party access 4.2
    weaknesses, reporting of 6.3.2
segregation
    of duties 8.1.4
    in networks 9.4.6
sensitive system isolation 9.6.2
separation of development and operational facilities 8.1.5
siting of equipment 7.2.1
software
    copying of 12.1.2.1
    malfunctions in 6.3.3
    malicious, protection from 6.3
    operational control of 10.4.1
    packages, restrictions on changes 10.5.3
source program library access control 10.4.3
specialist information security advice 4.1.5
synchronization of clocks 9.7.3
system
    audit considerations 12.3
    audit controls 12.1.3
    development and maintenance of 10
    documentation 8.6.4
    files, security of 10.3
    planning and acceptance 8.2
    sensitive, isolation of 9.6.2
    test data, protection of 10.4.2
technical
    compliance checking 12.2.2
    review of operating system changes 10.5.2
teleworking 9.8.2
terminal
    identification 9.5.1
    log-on procedures 9.5.2
    time-out 9.5.7
terms and conditions of employment 6.1.4
test data, protection of 10.4.2
testing, maintaining and re-assessing business continuity plans 11.1.5
third party access 4.2
    identification of risks 4.2.1
    security requirements in contracts 4.2.2
training 6.2.1
Trojan code and covert channels 10.5.4
unattended user equipment 9.3.2
user
    access management 9.2
    rights, review of 9.2.4
    authentication 9.5.3
    identifiers 9.2.1
    identification 9.5.3
    password management 9.2.3
    registration 9.2.1
    responsibilities 9.3
    training 6.2
validation
    of input data 10.2.1
    of output data 10.2.3
virus controls 8.3
working in secure areas 7.1.4

ICS 35.040
Price based on 71 pages
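Worked example for 12.1.7.3 b) above (copies of computer media taken with a witnessed, logged process and kept securely): the following Python script is an added illustration and is not part of ISO/IEC 17799, nor any project's code. It hashes the original before copying, hashes the copy afterwards, refuses a copy that does not match, makes the preserved copy read-only, and writes a JSON action log naming the handler and witness. The "media image" is a small constructed file in a temporary directory; the handler and witness names, the `.copy` and `.log.json` suffixes and the `preserve_evidence` / `verify_evidence` function names are assumptions of this example.

```python
"""Evidence copy with integrity verification and a witnessed action log (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so a large image never sits whole in memory


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


class EvidenceLog:
    """Append-only record of every action on the evidence: who did it, who witnessed it."""

    def __init__(self, handler, witness):
        self.handler, self.witness, self.entries = handler, witness, []

    def record(self, action, **details):
        self.entries.append({"time": datetime.now(timezone.utc).isoformat(),
                             "handler": self.handler, "witness": self.witness,
                             "action": action, **details})

    def write(self, path):
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(self.entries, fh, indent=2)


def preserve_evidence(source, dest_dir, handler, witness):
    """Copy `source` into `dest_dir`, proving the copy matches the original by hash.
    Returns (copy_path, log_path, digest). Raises if the copy does not verify."""
    log = EvidenceLog(handler, witness)
    log.record("identify", source=os.path.abspath(source), size=os.path.getsize(source))
    original_digest = sha256_file(source)
    log.record("hash_original", sha256=original_digest)

    copy_path = os.path.join(dest_dir, os.path.basename(source) + ".copy")
    shutil.copyfile(source, copy_path)
    log.record("copy", destination=os.path.abspath(copy_path))

    copy_digest = sha256_file(copy_path)
    log.record("hash_copy", sha256=copy_digest)
    if copy_digest != original_digest:
        log.record("verify", result="MISMATCH")
        log.write(copy_path + ".log.json")
        raise RuntimeError("evidence copy does not match original")
    log.record("verify", result="OK")

    os.chmod(copy_path, 0o444)  # the kept copy is read-only; analysis works on further copies
    log.record("protect", mode="0444")

    log_path = copy_path + ".log.json"
    log.write(log_path)  # the log is kept beside the copy, as the clause requires
    return copy_path, log_path, original_digest


def verify_evidence(path, expected_digest):
    """Re-hash a preserved copy and compare with the digest recorded at collection time."""
    return sha256_file(path) == expected_digest


def demo():
    """Constructed sample run: a small fake media image in a temporary directory."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    source = os.path.join(workdir, "usb-image.bin")
    with open(source, "wb") as fh:
        fh.write(b"constructed sample image contents\n" * 100)
    copy_path, log_path, digest = preserve_evidence(source, workdir, "A. Handler", "B. Witness")

    # a second, altered file stands in for evidence that was tampered with after collection
    tampered = os.path.join(workdir, "usb-image-tampered.bin")
    with open(tampered, "wb") as fh:
        fh.write(b"constructed sample image contents\n" * 99 + b"altered line\n")

    with open(log_path, encoding="utf-8") as fh:
        actions = [e["action"] for e in json.load(fh)]
    return {"verified": verify_evidence(copy_path, digest),
            "tamper_detected": not verify_evidence(tampered, digest),
            "actions": actions}


if __name__ == "__main__":
    print(demo())
```

The digest recorded in the log is what lets the kept copy be shown to be the same as the original later; the log itself should be stored with the same care as the copy, since it is the evidence trail the clause asks for.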
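Worked example for 12.2.2 above (an automated package that checks an operational system against security implementation standards and produces a technical report for a specialist), which also covers the log-on warning message of 12.1.5 and the read-only requirement of 12.3.1 c). This Python script is an added illustration, not part of ISO/IEC 17799 or any product. It parses an sshd_config-style file without modifying it and reports each directive as PASS or FAIL. The directive names (Banner, PermitRootLogin, PasswordAuthentication, X11Forwarding, MaxAuthTries) are real OpenSSH server directives; the file contents are constructed, and the expected values (e.g. MaxAuthTries at most 3) are an assumed local implementation standard, not values the standard prescribes.

```python
"""Read-only technical compliance check of an sshd_config-style file (added example)."""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample configuration, deliberately non-compliant in several places.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
#Banner none
X11Forwarding yes
MaxAuthTries 6

Match User backup
    PermitRootLogin no
"""

# Constructed hardened version of the same file.
HARDENED_CONFIG = """\
Banner /etc/issue.net
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
"""


@dataclass
class Check:
    directive: str                               # directive name, lower-case
    expected: str                                # the implementation standard, in words
    passes: Callable[[Optional[str]], bool]      # None means "not set in the file"
    clause: str                                  # clause of the standard the check supports


def parse_sshd_config(text):
    """Return {directive: first value}. sshd honours the first occurrence of a directive,
    and directives after a Match line are conditional, so parsing stops at Match."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        if not value:                             # "Key=value" form is also accepted by sshd
            key, _, value = line.partition("=")
        key = key.strip().lower()
        if key == "match":
            break
        settings.setdefault(key, value.strip())
    return settings


CHECKS = [
    Check("banner", "log-on warning banner file configured (not 'none')",
          lambda v: v is not None and v.lower() != "none", "12.1.5"),
    Check("permitrootlogin", "direct root log-on disabled",
          lambda v: v is not None and v.lower() == "no", "12.2.2"),
    Check("passwordauthentication", "password authentication disabled",
          lambda v: v is not None and v.lower() == "no", "12.2.2"),
    Check("x11forwarding", "X11 forwarding disabled (sshd default is no)",
          lambda v: v is None or v.lower() == "no", "12.2.2"),
    Check("maxauthtries", "at most 3 authentication attempts per connection",
          lambda v: v is not None and v.isdigit() and int(v) <= 3, "12.2.2"),
]


def run_checks(config_text, checks=CHECKS):
    """Evaluate every check against the parsed file; nothing is written anywhere."""
    settings = parse_sshd_config(config_text)
    results = []
    for c in checks:
        observed = settings.get(c.directive)
        results.append({"directive": c.directive, "clause": c.clause, "expected": c.expected,
                        "observed": observed if observed is not None else "<not set>",
                        "status": "PASS" if c.passes(observed) else "FAIL"})
    return results


def failing_directives(config_text):
    """Directive names that fail, for quick assertions and summaries."""
    return [r["directive"] for r in run_checks(config_text) if r["status"] == "FAIL"]


def render_report(results):
    """Plain-text technical report for subsequent interpretation by a specialist."""
    lines = ["Technical compliance report", "=" * 27]
    for r in results:
        lines.append(f"[{r['status']}] {r['directive']} (clause {r['clause']})")
        lines.append(f"       expected: {r['expected']}")
        lines.append(f"       observed: {r['observed']}")
    failed = sum(1 for r in results if r["status"] == "FAIL")
    lines.append(f"{len(results) - failed} passed, {failed} failed")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(run_checks(SAMPLE_CONFIG)))
```

Stopping at the first Match line is deliberate: the `PermitRootLogin no` inside the constructed Match block applies only to that user, so counting it would wrongly mark the host compliant. The report lists observed values next to the expected ones so the specialist can judge each finding rather than trusting a bare pass/fail.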
